That's just a sad deluded excuse and also last year's method. There is a core to WebKit certainly, but the way it works in Safari has seen it extended with Apple's own code and APIs and the way it is implemented on OS X. Then there is the whole DashBoard implementation which is a whole other level and another can of worms.

If it really was WebKit then we would have seen WebKit browsers on Windows, such as Chrome or even Safari, or Chrome on Linux being easy targets. We haven't. As Miller said in TFA:

He makes a clear distinction between the browser and the underlying operating system, stating that for example while Firefox on Windows is very hard to crack, Firefox on Mac OS X is easy, because Mac OS X lacks all the anti-exploit features Windows has built-in. "The things that Windows do to make it harder [for an exploit to work], Macs don't do," Miller says, "Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows."

Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.

Chrome is a WebKit using browser:

There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. The’ve got that sandbox model that’s hard to get out of.